andreika-git
/
cipher
mirror of https://github.com/andreika-git/cipher.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

add chacha and ripemd160

This commit is contained in:
Wang Yaofu 2018-02-13 15:12:12 +08:00
parent d8398e22be
commit a165259d61
16 changed files with 1904 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
Makefile.comm
View File

@ -2,14 +2,13 @@
#CFLAGS = -DDEBUG_LOG
CFLAGS = -DLINUX
CC=gcc -std=c++11 -g -O3 $(CFLAGS)
CC=gcc -std=c++11 -g $(CFLAGS)
CCC=gcc -std=c++11 -g $(CFLAGS)
CC=gcc -g -O3 $(CFLAGS)
CXX=gcc -std=c++11 -g $(CFLAGS)
SHARED_FLAG = -fPIC -shared
%.o : %.cpp
$(CC) $(INC) -c $< -o $@
$(CXX) $(INC) -c $< -o $@
%.o : %.c
$(CC) $(INC) -c $< -o $@
%.o : %.cc
$(CC) $(INC) -c $< -o $@
$(CXX) $(INC) -c $< -o $@

4
cipher/Makefile
View File

@ -4,8 +4,10 @@ INC += -I../
INC += -I./
SOURCES = $(foreach d,.,$(wildcard $(d)/*.c))
SOURCES += $(foreach d,.,$(wildcard $(d)/*.cpp))
SOURCES += $(foreach d,./aes,$(wildcard $(d)/*.cpp))
OBJS = $(patsubst %.c, %.o, $(SOURCES))
OBJS += md5key.o
OBJS += $(patsubst %.cpp, %.o, $(SOURCES))
CC += $(SHARED_FLAG)
all : libcipher.a

216
cipher/aes/aes.cpp Normal file
View File

@ -0,0 +1,216 @@
// Copyright (c) 2016-2017 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
#include "aes.hpp"
#include "common.h"
#include <assert.h>
#include <string.h>
extern "C" {
#include "ctaes/ctaes.c"
}
AES128Encrypt::AES128Encrypt(const unsigned char key[16])
{
AES128_init(&ctx, key);
}
AES128Encrypt::~AES128Encrypt()
{
memset(&ctx, 0, sizeof(ctx));
}
void AES128Encrypt::Encrypt(unsigned char ciphertext[16], const unsigned char plaintext[16]) const
{
AES128_encrypt(&ctx, 1, ciphertext, plaintext);
}
AES128Decrypt::AES128Decrypt(const unsigned char key[16])
{
AES128_init(&ctx, key);
}
AES128Decrypt::~AES128Decrypt()
{
memset(&ctx, 0, sizeof(ctx));
}
void AES128Decrypt::Decrypt(unsigned char plaintext[16], const unsigned char ciphertext[16]) const
{
AES128_decrypt(&ctx, 1, plaintext, ciphertext);
}
AES256Encrypt::AES256Encrypt(const unsigned char key[32])
{
AES256_init(&ctx, key);
}
AES256Encrypt::~AES256Encrypt()
{
memset(&ctx, 0, sizeof(ctx));
}
void AES256Encrypt::Encrypt(unsigned char ciphertext[16], const unsigned char plaintext[16]) const
{
AES256_encrypt(&ctx, 1, ciphertext, plaintext);
}
AES256Decrypt::AES256Decrypt(const unsigned char key[32])
{
AES256_init(&ctx, key);
}
AES256Decrypt::~AES256Decrypt()
{
memset(&ctx, 0, sizeof(ctx));
}
void AES256Decrypt::Decrypt(unsigned char plaintext[16], const unsigned char ciphertext[16]) const
{
AES256_decrypt(&ctx, 1, plaintext, ciphertext);
}
template <typename T>
static int CBCEncrypt(const T& enc, const unsigned char iv[AES_BLOCKSIZE], const unsigned char* data, int size, bool pad, unsigned char* out)
{
int written = 0;
int padsize = size % AES_BLOCKSIZE;
unsigned char mixed[AES_BLOCKSIZE];
if (!data || !size || !out)
return 0;
if (!pad && padsize != 0)
return 0;
memcpy(mixed, iv, AES_BLOCKSIZE);
// Write all but the last block
while (written + AES_BLOCKSIZE <= size) {
for (int i = 0; i != AES_BLOCKSIZE; i++)
mixed[i] ^= *data++;
enc.Encrypt(out + written, mixed);
memcpy(mixed, out + written, AES_BLOCKSIZE);
written += AES_BLOCKSIZE;
}
if (pad) {
// For all that remains, pad each byte with the value of the remaining
// space. If there is none, pad by a full block.
for (int i = 0; i != padsize; i++)
mixed[i] ^= *data++;
for (int i = padsize; i != AES_BLOCKSIZE; i++)
mixed[i] ^= AES_BLOCKSIZE - padsize;
enc.Encrypt(out + written, mixed);
written += AES_BLOCKSIZE;
}
return written;
}
template <typename T>
static int CBCDecrypt(const T& dec, const unsigned char iv[AES_BLOCKSIZE], const unsigned char* data, int size, bool pad, unsigned char* out)
{
int written = 0;
bool fail = false;
const unsigned char* prev = iv;
if (!data || !size || !out)
return 0;
if (size % AES_BLOCKSIZE != 0)
return 0;
// Decrypt all data. Padding will be checked in the output.
while (written != size) {
dec.Decrypt(out, data + written);
for (int i = 0; i != AES_BLOCKSIZE; i++)
*out++ ^= prev[i];
prev = data + written;
written += AES_BLOCKSIZE;
}
// When decrypting padding, attempt to run in constant-time
if (pad) {
// If used, padding size is the value of the last decrypted byte. For
// it to be valid, It must be between 1 and AES_BLOCKSIZE.
unsigned char padsize = *--out;
fail = !padsize | (padsize > AES_BLOCKSIZE);
// If not well-formed, treat it as though there's no padding.
padsize *= !fail;
// All padding must equal the last byte otherwise it's not well-formed
for (int i = AES_BLOCKSIZE; i != 0; i--)
fail |= ((i > AES_BLOCKSIZE - padsize) & (*out-- != padsize));
written -= padsize;
}
return written * !fail;
}
AES256CBCEncrypt::AES256CBCEncrypt(const unsigned char key[AES256_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)
: enc(key), pad(padIn)
{
memcpy(iv, ivIn, AES_BLOCKSIZE);
}
int AES256CBCEncrypt::Encrypt(const unsigned char* data, int size, unsigned char* out) const
{
return CBCEncrypt(enc, iv, data, size, pad, out);
}
AES256CBCEncrypt::~AES256CBCEncrypt()
{
memset(iv, 0, sizeof(iv));
}
AES256CBCDecrypt::AES256CBCDecrypt(const unsigned char key[AES256_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)
: dec(key), pad(padIn)
{
memcpy(iv, ivIn, AES_BLOCKSIZE);
}
int AES256CBCDecrypt::Decrypt(const unsigned char* data, int size, unsigned char* out) const
{
return CBCDecrypt(dec, iv, data, size, pad, out);
}
AES256CBCDecrypt::~AES256CBCDecrypt()
{
memset(iv, 0, sizeof(iv));
}
AES128CBCEncrypt::AES128CBCEncrypt(const unsigned char key[AES128_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)
: enc(key), pad(padIn)
{
memcpy(iv, ivIn, AES_BLOCKSIZE);
}
AES128CBCEncrypt::~AES128CBCEncrypt()
{
memset(iv, 0, AES_BLOCKSIZE);
}
int AES128CBCEncrypt::Encrypt(const unsigned char* data, int size, unsigned char* out) const
{
return CBCEncrypt(enc, iv, data, size, pad, out);
}
AES128CBCDecrypt::AES128CBCDecrypt(const unsigned char key[AES128_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)
: dec(key), pad(padIn)
{
memcpy(iv, ivIn, AES_BLOCKSIZE);
}
AES128CBCDecrypt::~AES128CBCDecrypt()
{
memset(iv, 0, AES_BLOCKSIZE);
}
int AES128CBCDecrypt::Decrypt(const unsigned char* data, int size, unsigned char* out) const
{
return CBCDecrypt(dec, iv, data, size, pad, out);
}

118
cipher/aes/aes.hpp Normal file
View File

@ -0,0 +1,118 @@
// Copyright (c) 2015-2017 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
//
// C++ wrapper around ctaes, a constant-time AES implementation
#ifndef BITCOIN_CRYPTO_AES_H
#define BITCOIN_CRYPTO_AES_H
extern "C" {
#include "ctaes/ctaes.h"
}
static const int AES_BLOCKSIZE = 16;
static const int AES128_KEYSIZE = 16;
static const int AES256_KEYSIZE = 32;
/** An encryption class for AES-128. */
class AES128Encrypt
{
private:
AES128_ctx ctx;
public:
explicit AES128Encrypt(const unsigned char key[16]);
~AES128Encrypt();
void Encrypt(unsigned char ciphertext[16], const unsigned char plaintext[16]) const;
};
/** A decryption class for AES-128. */
class AES128Decrypt
{
private:
AES128_ctx ctx;
public:
explicit AES128Decrypt(const unsigned char key[16]);
~AES128Decrypt();
void Decrypt(unsigned char plaintext[16], const unsigned char ciphertext[16]) const;
};
/** An encryption class for AES-256. */
class AES256Encrypt
{
private:
AES256_ctx ctx;
public:
explicit AES256Encrypt(const unsigned char key[32]);
~AES256Encrypt();
void Encrypt(unsigned char ciphertext[16], const unsigned char plaintext[16]) const;
};
/** A decryption class for AES-256. */
class AES256Decrypt
{
private:
AES256_ctx ctx;
public:
explicit AES256Decrypt(const unsigned char key[32]);
~AES256Decrypt();
void Decrypt(unsigned char plaintext[16], const unsigned char ciphertext[16]) const;
};
class AES256CBCEncrypt
{
public:
AES256CBCEncrypt(const unsigned char key[AES256_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn);
~AES256CBCEncrypt();
int Encrypt(const unsigned char* data, int size, unsigned char* out) const;
private:
const AES256Encrypt enc;
const bool pad;
unsigned char iv[AES_BLOCKSIZE];
};
class AES256CBCDecrypt
{
public:
AES256CBCDecrypt(const unsigned char key[AES256_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn);
~AES256CBCDecrypt();
int Decrypt(const unsigned char* data, int size, unsigned char* out) const;
private:
const AES256Decrypt dec;
const bool pad;
unsigned char iv[AES_BLOCKSIZE];
};
class AES128CBCEncrypt
{
public:
AES128CBCEncrypt(const unsigned char key[AES128_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn);
~AES128CBCEncrypt();
int Encrypt(const unsigned char* data, int size, unsigned char* out) const;
private:
const AES128Encrypt enc;
const bool pad;
unsigned char iv[AES_BLOCKSIZE];
};
class AES128CBCDecrypt
{
public:
AES128CBCDecrypt(const unsigned char key[AES128_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn);
~AES128CBCDecrypt();
int Decrypt(const unsigned char* data, int size, unsigned char* out) const;
private:
const AES128Decrypt dec;
const bool pad;
unsigned char iv[AES_BLOCKSIZE];
};
#endif // BITCOIN_CRYPTO_AES_H

BIN
cipher/aes/aes.o Normal file
View File

Binary file not shown.

180
cipher/chacha20.cpp Normal file
View File

@ -0,0 +1,180 @@
// Copyright (c) 2017 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
// Based on the public domain implementation 'merged' by D. J. Bernstein
// See https://cr.yp.to/chacha.html.
#include "common.h"
#include "chacha20.h"
#include <string.h>
constexpr static inline uint32_t rotl32(uint32_t v, int c) { return (v << c) | (v >> (32 - c)); }
#define QUARTERROUND(a,b,c,d) \
a += b; d = rotl32(d ^ a, 16); \
c += d; b = rotl32(b ^ c, 12); \
a += b; d = rotl32(d ^ a, 8); \
c += d; b = rotl32(b ^ c, 7);
static const unsigned char sigma[] = "expand 32-byte k";
static const unsigned char tau[] = "expand 16-byte k";
void ChaCha20::SetKey(const unsigned char* k, size_t keylen)
{
const unsigned char *constants;
input[4] = ReadLE32(k + 0);
input[5] = ReadLE32(k + 4);
input[6] = ReadLE32(k + 8);
input[7] = ReadLE32(k + 12);
if (keylen == 32) { /* recommended */
k += 16;
constants = sigma;
} else { /* keylen == 16 */
constants = tau;
}
input[8] = ReadLE32(k + 0);
input[9] = ReadLE32(k + 4);
input[10] = ReadLE32(k + 8);
input[11] = ReadLE32(k + 12);
input[0] = ReadLE32(constants + 0);
input[1] = ReadLE32(constants + 4);
input[2] = ReadLE32(constants + 8);
input[3] = ReadLE32(constants + 12);
input[12] = 0;
input[13] = 0;
input[14] = 0;
input[15] = 0;
}
ChaCha20::ChaCha20()
{
memset(input, 0, sizeof(input));
}
ChaCha20::ChaCha20(const unsigned char* k, size_t keylen)
{
SetKey(k, keylen);
}
void ChaCha20::SetIV(uint64_t iv)
{
input[14] = iv;
input[15] = iv >> 32;
}
void ChaCha20::Seek(uint64_t pos)
{
input[12] = pos;
input[13] = pos >> 32;
}
void ChaCha20::Output(unsigned char* c, size_t bytes)
{
uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
uint32_t j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
unsigned char *ctarget = nullptr;
unsigned char tmp[64];
unsigned int i;
if (!bytes) return;
j0 = input[0];
j1 = input[1];
j2 = input[2];
j3 = input[3];
j4 = input[4];
j5 = input[5];
j6 = input[6];
j7 = input[7];
j8 = input[8];
j9 = input[9];
j10 = input[10];
j11 = input[11];
j12 = input[12];
j13 = input[13];
j14 = input[14];
j15 = input[15];
for (;;) {
if (bytes < 64) {
ctarget = c;
c = tmp;
}
x0 = j0;
x1 = j1;
x2 = j2;
x3 = j3;
x4 = j4;
x5 = j5;
x6 = j6;
x7 = j7;
x8 = j8;
x9 = j9;
x10 = j10;
x11 = j11;
x12 = j12;
x13 = j13;
x14 = j14;
x15 = j15;
for (i = 20;i > 0;i -= 2) {
QUARTERROUND( x0, x4, x8,x12)
QUARTERROUND( x1, x5, x9,x13)
QUARTERROUND( x2, x6,x10,x14)
QUARTERROUND( x3, x7,x11,x15)
QUARTERROUND( x0, x5,x10,x15)
QUARTERROUND( x1, x6,x11,x12)
QUARTERROUND( x2, x7, x8,x13)
QUARTERROUND( x3, x4, x9,x14)
}
x0 += j0;
x1 += j1;
x2 += j2;
x3 += j3;
x4 += j4;
x5 += j5;
x6 += j6;
x7 += j7;
x8 += j8;
x9 += j9;
x10 += j10;
x11 += j11;
x12 += j12;
x13 += j13;
x14 += j14;
x15 += j15;
++j12;
if (!j12) ++j13;
WriteLE32(c + 0, x0);
WriteLE32(c + 4, x1);
WriteLE32(c + 8, x2);
WriteLE32(c + 12, x3);
WriteLE32(c + 16, x4);
WriteLE32(c + 20, x5);
WriteLE32(c + 24, x6);
WriteLE32(c + 28, x7);
WriteLE32(c + 32, x8);
WriteLE32(c + 36, x9);
WriteLE32(c + 40, x10);
WriteLE32(c + 44, x11);
WriteLE32(c + 48, x12);
WriteLE32(c + 52, x13);
WriteLE32(c + 56, x14);
WriteLE32(c + 60, x15);
if (bytes <= 64) {
if (bytes < 64) {
for (i = 0;i < bytes;++i) ctarget[i] = c[i];
}
input[12] = j12;
input[13] = j13;
return;
}
bytes -= 64;
c += 64;
}
}

26
cipher/chacha20.h Normal file
View File

@ -0,0 +1,26 @@
// Copyright (c) 2017 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
#ifndef BITCOIN_CRYPTO_CHACHA20_H
#define BITCOIN_CRYPTO_CHACHA20_H
#include <stdint.h>
#include <stdlib.h>
/** A PRNG class for ChaCha20. */
class ChaCha20
{
private:
uint32_t input[16];
public:
ChaCha20();
ChaCha20(const unsigned char* key, size_t keylen);
void SetKey(const unsigned char* key, size_t keylen);
void SetIV(uint64_t iv);
void Seek(uint64_t pos);
void Output(unsigned char* output, size_t bytes);
};
#endif // BITCOIN_CRYPTO_CHACHA20_H

99
cipher/common.h Normal file
View File

@ -0,0 +1,99 @@
// Copyright (c) 2014-2017 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
#ifndef BITCOIN_CRYPTO_COMMON_H
#define BITCOIN_CRYPTO_COMMON_H
#include <stdint.h>
#include <string.h>
#include <endian.h>
uint16_t static inline ReadLE16(const unsigned char* ptr)
{
uint16_t x;
memcpy((char*)&x, ptr, 2);
return le16toh(x);
}
uint32_t static inline ReadLE32(const unsigned char* ptr)
{
uint32_t x;
memcpy((char*)&x, ptr, 4);
return le32toh(x);
}
uint64_t static inline ReadLE64(const unsigned char* ptr)
{
uint64_t x;
memcpy((char*)&x, ptr, 8);
return le64toh(x);
}
void static inline WriteLE16(unsigned char* ptr, uint16_t x)
{
uint16_t v = htole16(x);
memcpy(ptr, (char*)&v, 2);
}
void static inline WriteLE32(unsigned char* ptr, uint32_t x)
{
uint32_t v = htole32(x);
memcpy(ptr, (char*)&v, 4);
}
void static inline WriteLE64(unsigned char* ptr, uint64_t x)
{
uint64_t v = htole64(x);
memcpy(ptr, (char*)&v, 8);
}
uint32_t static inline ReadBE32(const unsigned char* ptr)
{
uint32_t x;
memcpy((char*)&x, ptr, 4);
return be32toh(x);
}
uint64_t static inline ReadBE64(const unsigned char* ptr)
{
uint64_t x;
memcpy((char*)&x, ptr, 8);
return be64toh(x);
}
void static inline WriteBE32(unsigned char* ptr, uint32_t x)
{
uint32_t v = htobe32(x);
memcpy(ptr, (char*)&v, 4);
}
void static inline WriteBE64(unsigned char* ptr, uint64_t x)
{
uint64_t v = htobe64(x);
memcpy(ptr, (char*)&v, 8);
}
/** Return the smallest number n such that (x >> n) == 0 (or 64 if the highest bit in x is set. */
uint64_t static inline CountBits(uint64_t x)
{
#ifdef HAVE_DECL___BUILTIN_CLZL
if (sizeof(unsigned long) >= sizeof(uint64_t)) {
return x ? 8 * sizeof(unsigned long) - __builtin_clzl(x) : 0;
}
#endif
#ifdef HAVE_DECL___BUILTIN_CLZLL
if (sizeof(unsigned long long) >= sizeof(uint64_t)) {
return x ? 8 * sizeof(unsigned long long) - __builtin_clzll(x) : 0;
}
#endif
int ret = 0;
while (x) {
x >>= 1;
++ret;
}
return ret;
}
#endif // BITCOIN_CRYPTO_COMMON_H

21
cipher/ctaes/COPYING Normal file
View File

@ -0,0 +1,21 @@
The MIT License (MIT)
Copyright (c) 2016 Pieter Wuille
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

41
cipher/ctaes/README.md Normal file
View File

@ -0,0 +1,41 @@
ctaes
=====
Simple C module for constant-time AES encryption and decryption.
Features:
* Simple, pure C code without any dependencies.
* No tables or data-dependent branches whatsoever, but using bit sliced approach from https://eprint.iacr.org/2009/129.pdf.
* Very small object code: slightly over 4k of executable code when compiled with -Os.
* Slower than implementations based on precomputed tables or specialized instructions, but can do ~15 MB/s on modern CPUs.
Performance
-----------
Compiled with GCC 5.3.1 with -O3, on an Intel(R) Core(TM) i7-4800MQ CPU, numbers in CPU cycles:
| Algorithm | Key schedule | Encryption per byte | Decryption per byte |
| --------- | ------------:| -------------------:| -------------------:|
| AES-128 | 2.8k | 154 | 161 |
| AES-192 | 3.1k | 169 | 181 |
| AES-256 | 4.0k | 191 | 203 |
Build steps
-----------
Object code:
$ gcc -O3 ctaes.c -c -o ctaes.o
Tests:
$ gcc -O3 ctaes.c test.c -o test
Benchmark:
$ gcc -O3 ctaes.c bench.c -o bench
Review
------
Results of a formal review of the code can be found in http://bitcoin.sipa.be/ctaes/review.zip

170
cipher/ctaes/bench.c Normal file
View File

@ -0,0 +1,170 @@
#include <stdio.h>
#include <math.h>
#include "sys/time.h"
#include "ctaes.h"
static double gettimedouble(void) {
struct timeval tv;
gettimeofday(&tv, NULL);
return tv.tv_usec * 0.000001 + tv.tv_sec;
}
static void print_number(double x) {
double y = x;
int c = 0;
if (y < 0.0) {
y = -y;
}
while (y < 100.0) {
y *= 10.0;
c++;
}
printf("%.*f", c, x);
}
static void run_benchmark(char *name, void (*benchmark)(void*), void (*setup)(void*), void (*teardown)(void*), void* data, int count, int iter) {
int i;
double min = HUGE_VAL;
double sum = 0.0;
double max = 0.0;
for (i = 0; i < count; i++) {
double begin, total;
if (setup != NULL) {
setup(data);
}
begin = gettimedouble();
benchmark(data);
total = gettimedouble() - begin;
if (teardown != NULL) {
teardown(data);
}
if (total < min) {
min = total;
}
if (total > max) {
max = total;
}
sum += total;
}
printf("%s: min ", name);
print_number(min * 1000000000.0 / iter);
printf("ns / avg ");
print_number((sum / count) * 1000000000.0 / iter);
printf("ns / max ");
print_number(max * 1000000000.0 / iter);
printf("ns\n");
}
static void bench_AES128_init(void* data) {
AES128_ctx* ctx = (AES128_ctx*)data;
int i;
for (i = 0; i < 50000; i++) {
AES128_init(ctx, (unsigned char*)ctx);
}
}
static void bench_AES128_encrypt_setup(void* data) {
AES128_ctx* ctx = (AES128_ctx*)data;
static const unsigned char key[16] = {0};
AES128_init(ctx, key);
}
static void bench_AES128_encrypt(void* data) {
const AES128_ctx* ctx = (const AES128_ctx*)data;
unsigned char scratch[16] = {0};
int i;
for (i = 0; i < 4000000 / 16; i++) {
AES128_encrypt(ctx, 1, scratch, scratch);
}
}
static void bench_AES128_decrypt(void* data) {
const AES128_ctx* ctx = (const AES128_ctx*)data;
unsigned char scratch[16] = {0};
int i;
for (i = 0; i < 4000000 / 16; i++) {
AES128_decrypt(ctx, 1, scratch, scratch);
}
}
static void bench_AES192_init(void* data) {
AES192_ctx* ctx = (AES192_ctx*)data;
int i;
for (i = 0; i < 50000; i++) {
AES192_init(ctx, (unsigned char*)ctx);
}
}
static void bench_AES192_encrypt_setup(void* data) {
AES192_ctx* ctx = (AES192_ctx*)data;
static const unsigned char key[16] = {0};
AES192_init(ctx, key);
}
static void bench_AES192_encrypt(void* data) {
const AES192_ctx* ctx = (const AES192_ctx*)data;
unsigned char scratch[16] = {0};
int i;
for (i = 0; i < 4000000 / 16; i++) {
AES192_encrypt(ctx, 1, scratch, scratch);
}
}
static void bench_AES192_decrypt(void* data) {
const AES192_ctx* ctx = (const AES192_ctx*)data;
unsigned char scratch[16] = {0};
int i;
for (i = 0; i < 4000000 / 16; i++) {
AES192_decrypt(ctx, 1, scratch, scratch);
}
}
static void bench_AES256_init(void* data) {
AES256_ctx* ctx = (AES256_ctx*)data;
int i;
for (i = 0; i < 50000; i++) {
AES256_init(ctx, (unsigned char*)ctx);
}
}
static void bench_AES256_encrypt_setup(void* data) {
AES256_ctx* ctx = (AES256_ctx*)data;
static const unsigned char key[16] = {0};
AES256_init(ctx, key);
}
static void bench_AES256_encrypt(void* data) {
const AES256_ctx* ctx = (const AES256_ctx*)data;
unsigned char scratch[16] = {0};
int i;
for (i = 0; i < 4000000 / 16; i++) {
AES256_encrypt(ctx, 1, scratch, scratch);
}
}
static void bench_AES256_decrypt(void* data) {
const AES256_ctx* ctx = (const AES256_ctx*)data;
unsigned char scratch[16] = {0};
int i;
for (i = 0; i < 4000000 / 16; i++) {
AES256_decrypt(ctx, 1, scratch, scratch);
}
}
int main(void) {
AES128_ctx ctx128;
AES192_ctx ctx192;
AES256_ctx ctx256;
run_benchmark("aes128_init", bench_AES128_init, NULL, NULL, &ctx128, 20, 50000);
run_benchmark("aes128_encrypt_byte", bench_AES128_encrypt, bench_AES128_encrypt_setup, NULL, &ctx128, 20, 4000000);
run_benchmark("aes128_decrypt_byte", bench_AES128_decrypt, bench_AES128_encrypt_setup, NULL, &ctx128, 20, 4000000);
run_benchmark("aes192_init", bench_AES192_init, NULL, NULL, &ctx192, 20, 50000);
run_benchmark("aes192_encrypt_byte", bench_AES192_encrypt, bench_AES192_encrypt_setup, NULL, &ctx192, 20, 4000000);
run_benchmark("aes192_decrypt_byte", bench_AES192_decrypt, bench_AES192_encrypt_setup, NULL, &ctx192, 20, 4000000);
run_benchmark("aes256_init", bench_AES256_init, NULL, NULL, &ctx256, 20, 50000);
run_benchmark("aes256_encrypt_byte", bench_AES256_encrypt, bench_AES256_encrypt_setup, NULL, &ctx256, 20, 4000000);
run_benchmark("aes256_decrypt_byte", bench_AES256_decrypt, bench_AES256_encrypt_setup, NULL, &ctx256, 20, 4000000);
return 0;
}

556
cipher/ctaes/ctaes.c Normal file
View File

@ -0,0 +1,556 @@
/*********************************************************************
* Copyright (c) 2016 Pieter Wuille *
* Distributed under the MIT software license, see the accompanying *
* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
**********************************************************************/
/* Constant time, unoptimized, concise, plain C, AES implementation
* Based On:
* Emilia Kasper and Peter Schwabe, Faster and Timing-Attack Resistant AES-GCM
* http://www.iacr.org/archive/ches2009/57470001/57470001.pdf
* But using 8 16-bit integers representing a single AES state rather than 8 128-bit
* integers representing 8 AES states.
*/
#include "ctaes.h"
/* Slice variable slice_i contains the i'th bit of the 16 state variables in this order:
* 0 1 2 3
* 4 5 6 7
* 8 9 10 11
* 12 13 14 15
*/
/** Convert a byte to sliced form, storing it corresponding to given row and column in s */
static void LoadByte(AES_state* s, unsigned char byte, int r, int c) {
int i;
for (i = 0; i < 8; i++) {
s->slice[i] |= (byte & 1) << (r * 4 + c);
byte >>= 1;
}
}
/** Load 16 bytes of data into 8 sliced integers */
static void LoadBytes(AES_state *s, const unsigned char* data16) {
int c;
for (c = 0; c < 4; c++) {
int r;
for (r = 0; r < 4; r++) {
LoadByte(s, *(data16++), r, c);
}
}
}
/** Convert 8 sliced integers into 16 bytes of data */
static void SaveBytes(unsigned char* data16, const AES_state *s) {
int c;
for (c = 0; c < 4; c++) {
int r;
for (r = 0; r < 4; r++) {
int b;
uint8_t v = 0;
for (b = 0; b < 8; b++) {
v |= ((s->slice[b] >> (r * 4 + c)) & 1) << b;
}
*(data16++) = v;
}
}
}
/* S-box implementation based on the gate logic from:
* Joan Boyar and Rene Peralta, A depth-16 circuit for the AES S-box.
* https://eprint.iacr.org/2011/332.pdf
*/
static void SubBytes(AES_state *s, int inv) {
/* Load the bit slices */
uint16_t U0 = s->slice[7], U1 = s->slice[6], U2 = s->slice[5], U3 = s->slice[4];
uint16_t U4 = s->slice[3], U5 = s->slice[2], U6 = s->slice[1], U7 = s->slice[0];
uint16_t T1, T2, T3, T4, T5, T6, T7, T8, T9, T10, T11, T12, T13, T14, T15, T16;
uint16_t T17, T18, T19, T20, T21, T22, T23, T24, T25, T26, T27, D;
uint16_t M1, M6, M11, M13, M15, M20, M21, M22, M23, M25, M37, M38, M39, M40;
uint16_t M41, M42, M43, M44, M45, M46, M47, M48, M49, M50, M51, M52, M53, M54;
uint16_t M55, M56, M57, M58, M59, M60, M61, M62, M63;
if (inv) {
uint16_t R5, R13, R17, R18, R19;
/* Undo linear postprocessing */
T23 = U0 ^ U3;
T22 = ~(U1 ^ U3);
T2 = ~(U0 ^ U1);
T1 = U3 ^ U4;
T24 = ~(U4 ^ U7);
R5 = U6 ^ U7;
T8 = ~(U1 ^ T23);
T19 = T22 ^ R5;
T9 = ~(U7 ^ T1);
T10 = T2 ^ T24;
T13 = T2 ^ R5;
T3 = T1 ^ R5;
T25 = ~(U2 ^ T1);
R13 = U1 ^ U6;
T17 = ~(U2 ^ T19);
T20 = T24 ^ R13;
T4 = U4 ^ T8;
R17 = ~(U2 ^ U5);
R18 = ~(U5 ^ U6);
R19 = ~(U2 ^ U4);
D = U0 ^ R17;
T6 = T22 ^ R17;
T16 = R13 ^ R19;
T27 = T1 ^ R18;
T15 = T10 ^ T27;
T14 = T10 ^ R18;
T26 = T3 ^ T16;
} else {
/* Linear preprocessing. */
T1 = U0 ^ U3;
T2 = U0 ^ U5;
T3 = U0 ^ U6;
T4 = U3 ^ U5;
T5 = U4 ^ U6;
T6 = T1 ^ T5;
T7 = U1 ^ U2;
T8 = U7 ^ T6;
T9 = U7 ^ T7;
T10 = T6 ^ T7;
T11 = U1 ^ U5;
T12 = U2 ^ U5;
T13 = T3 ^ T4;
T14 = T6 ^ T11;
T15 = T5 ^ T11;
T16 = T5 ^ T12;
T17 = T9 ^ T16;
T18 = U3 ^ U7;
T19 = T7 ^ T18;
T20 = T1 ^ T19;
T21 = U6 ^ U7;
T22 = T7 ^ T21;
T23 = T2 ^ T22;
T24 = T2 ^ T10;
T25 = T20 ^ T17;
T26 = T3 ^ T16;
T27 = T1 ^ T12;
D = U7;
}
/* Non-linear transformation (shared between the forward and backward case) */
M1 = T13 & T6;
M6 = T3 & T16;
M11 = T1 & T15;
M13 = (T4 & T27) ^ M11;
M15 = (T2 & T10) ^ M11;
M20 = T14 ^ M1 ^ (T23 & T8) ^ M13;
M21 = (T19 & D) ^ M1 ^ T24 ^ M15;
M22 = T26 ^ M6 ^ (T22 & T9) ^ M13;
M23 = (T20 & T17) ^ M6 ^ M15 ^ T25;
M25 = M22 & M20;
M37 = M21 ^ ((M20 ^ M21) & (M23 ^ M25));
M38 = M20 ^ M25 ^ (M21 | (M20 & M23));
M39 = M23 ^ ((M22 ^ M23) & (M21 ^ M25));
M40 = M22 ^ M25 ^ (M23 | (M21 & M22));
M41 = M38 ^ M40;
M42 = M37 ^ M39;
M43 = M37 ^ M38;
M44 = M39 ^ M40;
M45 = M42 ^ M41;
M46 = M44 & T6;
M47 = M40 & T8;
M48 = M39 & D;
M49 = M43 & T16;
M50 = M38 & T9;
M51 = M37 & T17;
M52 = M42 & T15;
M53 = M45 & T27;
M54 = M41 & T10;
M55 = M44 & T13;
M56 = M40 & T23;
M57 = M39 & T19;
M58 = M43 & T3;
M59 = M38 & T22;
M60 = M37 & T20;
M61 = M42 & T1;
M62 = M45 & T4;
M63 = M41 & T2;
if (inv){
/* Undo linear preprocessing */
uint16_t P0 = M52 ^ M61;
uint16_t P1 = M58 ^ M59;
uint16_t P2 = M54 ^ M62;
uint16_t P3 = M47 ^ M50;
uint16_t P4 = M48 ^ M56;
uint16_t P5 = M46 ^ M51;
uint16_t P6 = M49 ^ M60;
uint16_t P7 = P0 ^ P1;
uint16_t P8 = M50 ^ M53;
uint16_t P9 = M55 ^ M63;
uint16_t P10 = M57 ^ P4;
uint16_t P11 = P0 ^ P3;
uint16_t P12 = M46 ^ M48;
uint16_t P13 = M49 ^ M51;
uint16_t P14 = M49 ^ M62;
uint16_t P15 = M54 ^ M59;
uint16_t P16 = M57 ^ M61;
uint16_t P17 = M58 ^ P2;
uint16_t P18 = M63 ^ P5;
uint16_t P19 = P2 ^ P3;
uint16_t P20 = P4 ^ P6;
uint16_t P22 = P2 ^ P7;
uint16_t P23 = P7 ^ P8;
uint16_t P24 = P5 ^ P7;
uint16_t P25 = P6 ^ P10;
uint16_t P26 = P9 ^ P11;
uint16_t P27 = P10 ^ P18;
uint16_t P28 = P11 ^ P25;
uint16_t P29 = P15 ^ P20;
s->slice[7] = P13 ^ P22;
s->slice[6] = P26 ^ P29;
s->slice[5] = P17 ^ P28;
s->slice[4] = P12 ^ P22;
s->slice[3] = P23 ^ P27;
s->slice[2] = P19 ^ P24;
s->slice[1] = P14 ^ P23;
s->slice[0] = P9 ^ P16;
} else {
/* Linear postprocessing */
uint16_t L0 = M61 ^ M62;
uint16_t L1 = M50 ^ M56;
uint16_t L2 = M46 ^ M48;
uint16_t L3 = M47 ^ M55;
uint16_t L4 = M54 ^ M58;
uint16_t L5 = M49 ^ M61;
uint16_t L6 = M62 ^ L5;
uint16_t L7 = M46 ^ L3;
uint16_t L8 = M51 ^ M59;
uint16_t L9 = M52 ^ M53;
uint16_t L10 = M53 ^ L4;
uint16_t L11 = M60 ^ L2;
uint16_t L12 = M48 ^ M51;
uint16_t L13 = M50 ^ L0;
uint16_t L14 = M52 ^ M61;
uint16_t L15 = M55 ^ L1;
uint16_t L16 = M56 ^ L0;
uint16_t L17 = M57 ^ L1;
uint16_t L18 = M58 ^ L8;
uint16_t L19 = M63 ^ L4;
uint16_t L20 = L0 ^ L1;
uint16_t L21 = L1 ^ L7;
uint16_t L22 = L3 ^ L12;
uint16_t L23 = L18 ^ L2;
uint16_t L24 = L15 ^ L9;
uint16_t L25 = L6 ^ L10;
uint16_t L26 = L7 ^ L9;
uint16_t L27 = L8 ^ L10;
uint16_t L28 = L11 ^ L14;
uint16_t L29 = L11 ^ L17;
s->slice[7] = L6 ^ L24;
s->slice[6] = ~(L16 ^ L26);
s->slice[5] = ~(L19 ^ L28);
s->slice[4] = L6 ^ L21;
s->slice[3] = L20 ^ L22;
s->slice[2] = L25 ^ L29;
s->slice[1] = ~(L13 ^ L27);
s->slice[0] = ~(L6 ^ L23);
}
}
#define BIT_RANGE(from,to) (((1 << ((to) - (from))) - 1) << (from))
#define BIT_RANGE_LEFT(x,from,to,shift) (((x) & BIT_RANGE((from), (to))) << (shift))
#define BIT_RANGE_RIGHT(x,from,to,shift) (((x) & BIT_RANGE((from), (to))) >> (shift))
static void ShiftRows(AES_state* s) {
int i;
for (i = 0; i < 8; i++) {
uint16_t v = s->slice[i];
s->slice[i] =
(v & BIT_RANGE(0, 4)) |
BIT_RANGE_LEFT(v, 4, 5, 3) | BIT_RANGE_RIGHT(v, 5, 8, 1) |
BIT_RANGE_LEFT(v, 8, 10, 2) | BIT_RANGE_RIGHT(v, 10, 12, 2) |
BIT_RANGE_LEFT(v, 12, 15, 1) | BIT_RANGE_RIGHT(v, 15, 16, 3);
}
}
static void InvShiftRows(AES_state* s) {
int i;
for (i = 0; i < 8; i++) {
uint16_t v = s->slice[i];
s->slice[i] =
(v & BIT_RANGE(0, 4)) |
BIT_RANGE_LEFT(v, 4, 7, 1) | BIT_RANGE_RIGHT(v, 7, 8, 3) |
BIT_RANGE_LEFT(v, 8, 10, 2) | BIT_RANGE_RIGHT(v, 10, 12, 2) |
BIT_RANGE_LEFT(v, 12, 13, 3) | BIT_RANGE_RIGHT(v, 13, 16, 1);
}
}
#define ROT(x,b) (((x) >> ((b) * 4)) | ((x) << ((4-(b)) * 4)))
static void MixColumns(AES_state* s, int inv) {
/* The MixColumns transform treats the bytes of the columns of the state as
* coefficients of a 3rd degree polynomial over GF(2^8) and multiplies them
* by the fixed polynomial a(x) = {03}x^3 + {01}x^2 + {01}x + {02}, modulo
* x^4 + {01}.
*
* In the inverse transform, we multiply by the inverse of a(x),
* a^-1(x) = {0b}x^3 + {0d}x^2 + {09}x + {0e}. This is equal to
* a(x) * ({04}x^2 + {05}), so we can reuse the forward transform's code
* (found in OpenSSL's bsaes-x86_64.pl, attributed to Jussi Kivilinna)
*
* In the bitsliced representation, a multiplication of every column by x
* mod x^4 + 1 is simply a right rotation.
*/
/* Shared for both directions is a multiplication by a(x), which can be
* rewritten as (x^3 + x^2 + x) + {02}*(x^3 + {01}).
*
* First compute s into the s? variables, (x^3 + {01}) * s into the s?_01
* variables and (x^3 + x^2 + x)*s into the s?_123 variables.
*/
uint16_t s0 = s->slice[0], s1 = s->slice[1], s2 = s->slice[2], s3 = s->slice[3];
uint16_t s4 = s->slice[4], s5 = s->slice[5], s6 = s->slice[6], s7 = s->slice[7];
uint16_t s0_01 = s0 ^ ROT(s0, 1), s0_123 = ROT(s0_01, 1) ^ ROT(s0, 3);
uint16_t s1_01 = s1 ^ ROT(s1, 1), s1_123 = ROT(s1_01, 1) ^ ROT(s1, 3);
uint16_t s2_01 = s2 ^ ROT(s2, 1), s2_123 = ROT(s2_01, 1) ^ ROT(s2, 3);
uint16_t s3_01 = s3 ^ ROT(s3, 1), s3_123 = ROT(s3_01, 1) ^ ROT(s3, 3);
uint16_t s4_01 = s4 ^ ROT(s4, 1), s4_123 = ROT(s4_01, 1) ^ ROT(s4, 3);
uint16_t s5_01 = s5 ^ ROT(s5, 1), s5_123 = ROT(s5_01, 1) ^ ROT(s5, 3);
uint16_t s6_01 = s6 ^ ROT(s6, 1), s6_123 = ROT(s6_01, 1) ^ ROT(s6, 3);
uint16_t s7_01 = s7 ^ ROT(s7, 1), s7_123 = ROT(s7_01, 1) ^ ROT(s7, 3);
/* Now compute s = s?_123 + {02} * s?_01. */
s->slice[0] = s7_01 ^ s0_123;
s->slice[1] = s7_01 ^ s0_01 ^ s1_123;
s->slice[2] = s1_01 ^ s2_123;
s->slice[3] = s7_01 ^ s2_01 ^ s3_123;
s->slice[4] = s7_01 ^ s3_01 ^ s4_123;
s->slice[5] = s4_01 ^ s5_123;
s->slice[6] = s5_01 ^ s6_123;
s->slice[7] = s6_01 ^ s7_123;
if (inv) {
/* In the reverse direction, we further need to multiply by
* {04}x^2 + {05}, which can be written as {04} * (x^2 + {01}) + {01}.
*
* First compute (x^2 + {01}) * s into the t?_02 variables: */
uint16_t t0_02 = s->slice[0] ^ ROT(s->slice[0], 2);
uint16_t t1_02 = s->slice[1] ^ ROT(s->slice[1], 2);
uint16_t t2_02 = s->slice[2] ^ ROT(s->slice[2], 2);
uint16_t t3_02 = s->slice[3] ^ ROT(s->slice[3], 2);
uint16_t t4_02 = s->slice[4] ^ ROT(s->slice[4], 2);
uint16_t t5_02 = s->slice[5] ^ ROT(s->slice[5], 2);
uint16_t t6_02 = s->slice[6] ^ ROT(s->slice[6], 2);
uint16_t t7_02 = s->slice[7] ^ ROT(s->slice[7], 2);
/* And then update s += {04} * t?_02 */
s->slice[0] ^= t6_02;
s->slice[1] ^= t6_02 ^ t7_02;
s->slice[2] ^= t0_02 ^ t7_02;
s->slice[3] ^= t1_02 ^ t6_02;
s->slice[4] ^= t2_02 ^ t6_02 ^ t7_02;
s->slice[5] ^= t3_02 ^ t7_02;
s->slice[6] ^= t4_02;
s->slice[7] ^= t5_02;
}
}
static void AddRoundKey(AES_state* s, const AES_state* round) {
int b;
for (b = 0; b < 8; b++) {
s->slice[b] ^= round->slice[b];
}
}
/** column_0(s) = column_c(a) */
static void GetOneColumn(AES_state* s, const AES_state* a, int c) {
int b;
for (b = 0; b < 8; b++) {
s->slice[b] = (a->slice[b] >> c) & 0x1111;
}
}
/** column_c1(r) |= (column_0(s) ^= column_c2(a)) */
static void KeySetupColumnMix(AES_state* s, AES_state* r, const AES_state* a, int c1, int c2) {
int b;
for (b = 0; b < 8; b++) {
r->slice[b] |= ((s->slice[b] ^= ((a->slice[b] >> c2) & 0x1111)) & 0x1111) << c1;
}
}
/** Rotate the rows in s one position upwards, and xor in r */
static void KeySetupTransform(AES_state* s, const AES_state* r) {
int b;
for (b = 0; b < 8; b++) {
s->slice[b] = ((s->slice[b] >> 4) | (s->slice[b] << 12)) ^ r->slice[b];
}
}
/* Multiply the cells in s by x, as polynomials over GF(2) mod x^8 + x^4 + x^3 + x + 1 */
static void MultX(AES_state* s) {
uint16_t top = s->slice[7];
s->slice[7] = s->slice[6];
s->slice[6] = s->slice[5];
s->slice[5] = s->slice[4];
s->slice[4] = s->slice[3] ^ top;
s->slice[3] = s->slice[2] ^ top;
s->slice[2] = s->slice[1];
s->slice[1] = s->slice[0] ^ top;
s->slice[0] = top;
}
/** Expand the cipher key into the key schedule.
*
* state must be a pointer to an array of size nrounds + 1.
* key must be a pointer to 4 * nkeywords bytes.
*
* AES128 uses nkeywords = 4, nrounds = 10
* AES192 uses nkeywords = 6, nrounds = 12
* AES256 uses nkeywords = 8, nrounds = 14
*/
static void AES_setup(AES_state* rounds, const uint8_t* key, int nkeywords, int nrounds)
{
int i;
/* The one-byte round constant */
AES_state rcon = {{1,0,0,0,0,0,0,0}};
/* The number of the word being generated, modulo nkeywords */
int pos = 0;
/* The column representing the word currently being processed */
AES_state column;
for (i = 0; i < nrounds + 1; i++) {
int b;
for (b = 0; b < 8; b++) {
rounds[i].slice[b] = 0;
}
}
/* The first nkeywords round columns are just taken from the key directly. */
for (i = 0; i < nkeywords; i++) {
int r;
for (r = 0; r < 4; r++) {
LoadByte(&rounds[i >> 2], *(key++), r, i & 3);
}
}
GetOneColumn(&column, &rounds[(nkeywords - 1) >> 2], (nkeywords - 1) & 3);
for (i = nkeywords; i < 4 * (nrounds + 1); i++) {
/* Transform column */
if (pos == 0) {
SubBytes(&column, 0);
KeySetupTransform(&column, &rcon);
MultX(&rcon);
} else if (nkeywords > 6 && pos == 4) {
SubBytes(&column, 0);
}
if (++pos == nkeywords) pos = 0;
KeySetupColumnMix(&column, &rounds[i >> 2], &rounds[(i - nkeywords) >> 2], i & 3, (i - nkeywords) & 3);
}
}
static void AES_encrypt(const AES_state* rounds, int nrounds, unsigned char* cipher16, const unsigned char* plain16) {
AES_state s = {{0}};
int round;
LoadBytes(&s, plain16);
AddRoundKey(&s, rounds++);
for (round = 1; round < nrounds; round++) {
SubBytes(&s, 0);
ShiftRows(&s);
MixColumns(&s, 0);
AddRoundKey(&s, rounds++);
}
SubBytes(&s, 0);
ShiftRows(&s);
AddRoundKey(&s, rounds);
SaveBytes(cipher16, &s);
}
static void AES_decrypt(const AES_state* rounds, int nrounds, unsigned char* plain16, const unsigned char* cipher16) {
/* Most AES decryption implementations use the alternate scheme
* (the Equivalent Inverse Cipher), which allows for more code reuse between
* the encryption and decryption code, but requires separate setup for both.
*/
AES_state s = {{0}};
int round;
rounds += nrounds;
LoadBytes(&s, cipher16);
AddRoundKey(&s, rounds--);
for (round = 1; round < nrounds; round++) {
InvShiftRows(&s);
SubBytes(&s, 1);
AddRoundKey(&s, rounds--);
MixColumns(&s, 1);
}
InvShiftRows(&s);
SubBytes(&s, 1);
AddRoundKey(&s, rounds);
SaveBytes(plain16, &s);
}
void AES128_init(AES128_ctx* ctx, const unsigned char* key16) {
AES_setup(ctx->rk, key16, 4, 10);
}
void AES128_encrypt(const AES128_ctx* ctx, size_t blocks, unsigned char* cipher16, const unsigned char* plain16) {
while (blocks--) {
AES_encrypt(ctx->rk, 10, cipher16, plain16);
cipher16 += 16;
plain16 += 16;
}
}
void AES128_decrypt(const AES128_ctx* ctx, size_t blocks, unsigned char* plain16, const unsigned char* cipher16) {
while (blocks--) {
AES_decrypt(ctx->rk, 10, plain16, cipher16);
cipher16 += 16;
plain16 += 16;
}
}
void AES192_init(AES192_ctx* ctx, const unsigned char* key24) {
AES_setup(ctx->rk, key24, 6, 12);
}
void AES192_encrypt(const AES192_ctx* ctx, size_t blocks, unsigned char* cipher16, const unsigned char* plain16) {
while (blocks--) {
AES_encrypt(ctx->rk, 12, cipher16, plain16);
cipher16 += 16;
plain16 += 16;
}
}
void AES192_decrypt(const AES192_ctx* ctx, size_t blocks, unsigned char* plain16, const unsigned char* cipher16) {
while (blocks--) {
AES_decrypt(ctx->rk, 12, plain16, cipher16);
cipher16 += 16;
plain16 += 16;
}
}
void AES256_init(AES256_ctx* ctx, const unsigned char* key32) {
AES_setup(ctx->rk, key32, 8, 14);
}
void AES256_encrypt(const AES256_ctx* ctx, size_t blocks, unsigned char* cipher16, const unsigned char* plain16) {
while (blocks--) {
AES_encrypt(ctx->rk, 14, cipher16, plain16);
cipher16 += 16;
plain16 += 16;
}
}
void AES256_decrypt(const AES256_ctx* ctx, size_t blocks, unsigned char* plain16, const unsigned char* cipher16) {
while (blocks--) {
AES_decrypt(ctx->rk, 14, plain16, cipher16);
cipher16 += 16;
plain16 += 16;
}
}

41
cipher/ctaes/ctaes.h Normal file
View File

@ -0,0 +1,41 @@
/*********************************************************************
* Copyright (c) 2016 Pieter Wuille *
* Distributed under the MIT software license, see the accompanying *
* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
**********************************************************************/
#ifndef _CTAES_H_
#define _CTAES_H_ 1
#include <stdint.h>
#include <stdlib.h>
typedef struct {
uint16_t slice[8];
} AES_state;
typedef struct {
AES_state rk[11];
} AES128_ctx;
typedef struct {
AES_state rk[13];
} AES192_ctx;
typedef struct {
AES_state rk[15];
} AES256_ctx;
void AES128_init(AES128_ctx* ctx, const unsigned char* key16);
void AES128_encrypt(const AES128_ctx* ctx, size_t blocks, unsigned char* cipher16, const unsigned char* plain16);
void AES128_decrypt(const AES128_ctx* ctx, size_t blocks, unsigned char* plain16, const unsigned char* cipher16);
void AES192_init(AES192_ctx* ctx, const unsigned char* key24);
void AES192_encrypt(const AES192_ctx* ctx, size_t blocks, unsigned char* cipher16, const unsigned char* plain16);
void AES192_decrypt(const AES192_ctx* ctx, size_t blocks, unsigned char* plain16, const unsigned char* cipher16);
void AES256_init(AES256_ctx* ctx, const unsigned char* key32);
void AES256_encrypt(const AES256_ctx* ctx, size_t blocks, unsigned char* cipher16, const unsigned char* plain16);
void AES256_decrypt(const AES256_ctx* ctx, size_t blocks, unsigned char* plain16, const unsigned char* cipher16);
#endif

110
cipher/ctaes/test.c Normal file
View File

@ -0,0 +1,110 @@
/*********************************************************************
* Copyright (c) 2016 Pieter Wuille *
* Distributed under the MIT software license, see the accompanying *
* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
**********************************************************************/
#include "ctaes.h"
#include <stdio.h>
#include <string.h>
#include <assert.h>
typedef struct {
int keysize;
const char* key;
const char* plain;
const char* cipher;
} ctaes_test;
static const ctaes_test ctaes_tests[] = {
/* AES test vectors from FIPS 197. */
{128, "000102030405060708090a0b0c0d0e0f", "00112233445566778899aabbccddeeff", "69c4e0d86a7b0430d8cdb78070b4c55a"},
{192, "000102030405060708090a0b0c0d0e0f1011121314151617", "00112233445566778899aabbccddeeff", "dda97ca4864cdfe06eaf70a0ec0d7191"},
{256, "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", "00112233445566778899aabbccddeeff", "8ea2b7ca516745bfeafc49904b496089"},
/* AES-ECB test vectors from NIST sp800-38a. */
{128, "2b7e151628aed2a6abf7158809cf4f3c", "6bc1bee22e409f96e93d7e117393172a", "3ad77bb40d7a3660a89ecaf32466ef97"},
{128, "2b7e151628aed2a6abf7158809cf4f3c", "ae2d8a571e03ac9c9eb76fac45af8e51", "f5d3d58503b9699de785895a96fdbaaf"},
{128, "2b7e151628aed2a6abf7158809cf4f3c", "30c81c46a35ce411e5fbc1191a0a52ef", "43b1cd7f598ece23881b00e3ed030688"},
{128, "2b7e151628aed2a6abf7158809cf4f3c", "f69f2445df4f9b17ad2b417be66c3710", "7b0c785e27e8ad3f8223207104725dd4"},
{192, "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "6bc1bee22e409f96e93d7e117393172a", "bd334f1d6e45f25ff712a214571fa5cc"},
{192, "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "ae2d8a571e03ac9c9eb76fac45af8e51", "974104846d0ad3ad7734ecb3ecee4eef"},
{192, "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "30c81c46a35ce411e5fbc1191a0a52ef", "ef7afd2270e2e60adce0ba2face6444e"},
{192, "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b", "f69f2445df4f9b17ad2b417be66c3710", "9a4b41ba738d6c72fb16691603c18e0e"},
{256, "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4", "6bc1bee22e409f96e93d7e117393172a", "f3eed1bdb5d2a03c064b5a7e3db181f8"},
{256, "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4", "ae2d8a571e03ac9c9eb76fac45af8e51", "591ccb10d410ed26dc5ba74a31362870"},
{256, "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4", "30c81c46a35ce411e5fbc1191a0a52ef", "b6ed21b99ca6f4f9f153e7b1beafed1d"},
{256, "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4", "f69f2445df4f9b17ad2b417be66c3710", "23304b7a39f9f3ff067d8d8f9e24ecc7"}
};
static void from_hex(unsigned char* data, int len, const char* hex) {
int p;
for (p = 0; p < len; p++) {
int v = 0;
int n;
for (n = 0; n < 2; n++) {
assert((*hex >= '0' && *hex <= '9') || (*hex >= 'a' && *hex <= 'f'));
if (*hex >= '0' && *hex <= '9') {
v |= (*hex - '0') << (4 * (1 - n));
} else {
v |= (*hex - 'a' + 10) << (4 * (1 - n));
}
hex++;
}
*(data++) = v;
}
assert(*hex == 0);
}
int main(void) {
int i;
int fail = 0;
for (i = 0; i < sizeof(ctaes_tests) / sizeof(ctaes_tests[0]); i++) {
unsigned char key[32], plain[16], cipher[16], ciphered[16], deciphered[16];
const ctaes_test* test = &ctaes_tests[i];
assert(test->keysize == 128 || test->keysize == 192 || test->keysize == 256);
from_hex(plain, 16, test->plain);
from_hex(cipher, 16, test->cipher);
switch (test->keysize) {
case 128: {
AES128_ctx ctx;
from_hex(key, 16, test->key);
AES128_init(&ctx, key);
AES128_encrypt(&ctx, 1, ciphered, plain);
AES128_decrypt(&ctx, 1, deciphered, cipher);
break;
}
case 192: {
AES192_ctx ctx;
from_hex(key, 24, test->key);
AES192_init(&ctx, key);
AES192_encrypt(&ctx, 1, ciphered, plain);
AES192_decrypt(&ctx, 1, deciphered, cipher);
break;
}
case 256: {
AES256_ctx ctx;
from_hex(key, 32, test->key);
AES256_init(&ctx, key);
AES256_encrypt(&ctx, 1, ciphered, plain);
AES256_decrypt(&ctx, 1, deciphered, cipher);
break;
}
}
if (memcmp(cipher, ciphered, 16)) {
fprintf(stderr, "E(key=\"%s\", plain=\"%s\") != \"%s\"\n", test->key, test->plain, test->cipher);
fail++;
}
if (memcmp(plain, deciphered, 16)) {
fprintf(stderr, "D(key=\"%s\", cipher=\"%s\") != \"%s\"\n", test->key, test->cipher, test->plain);
fail++;
}
}
if (fail == 0) {
fprintf(stderr, "All tests successful\n");
} else {
fprintf(stderr, "%i tests failed\n", fail);
}
return (fail != 0);
}

291
cipher/ripemd160.cpp Normal file
View File

@ -0,0 +1,291 @@
// Copyright (c) 2014-2017 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
#include "ripemd160.h"
#include "common.h"
#include <string.h>
// Internal implementation code.
namespace
{
/// Internal RIPEMD-160 implementation.
namespace ripemd160
{
uint32_t inline f1(uint32_t x, uint32_t y, uint32_t z) { return x ^ y ^ z; }
uint32_t inline f2(uint32_t x, uint32_t y, uint32_t z) { return (x & y) | (~x & z); }
uint32_t inline f3(uint32_t x, uint32_t y, uint32_t z) { return (x | ~y) ^ z; }
uint32_t inline f4(uint32_t x, uint32_t y, uint32_t z) { return (x & z) | (y & ~z); }
uint32_t inline f5(uint32_t x, uint32_t y, uint32_t z) { return x ^ (y | ~z); }
/** Initialize RIPEMD-160 state. */
void inline Initialize(uint32_t* s)
{
s[0] = 0x67452301ul;
s[1] = 0xEFCDAB89ul;
s[2] = 0x98BADCFEul;
s[3] = 0x10325476ul;
s[4] = 0xC3D2E1F0ul;
}
uint32_t inline rol(uint32_t x, int i) { return (x << i) | (x >> (32 - i)); }
void inline Round(uint32_t& a, uint32_t b, uint32_t& c, uint32_t d, uint32_t e, uint32_t f, uint32_t x, uint32_t k, int r)
{
a = rol(a + f + x + k, r) + e;
c = rol(c, 10);
}
void inline R11(uint32_t& a, uint32_t b, uint32_t& c, uint32_t d, uint32_t e, uint32_t x, int r) { Round(a, b, c, d, e, f1(b, c, d), x, 0, r); }
void inline R21(uint32_t& a, uint32_t b, uint32_t& c, uint32_t d, uint32_t e, uint32_t x, int r) { Round(a, b, c, d, e, f2(b, c, d), x, 0x5A827999ul, r); }
void inline R31(uint32_t& a, uint32_t b, uint32_t& c, uint32_t d, uint32_t e, uint32_t x, int r) { Round(a, b, c, d, e, f3(b, c, d), x, 0x6ED9EBA1ul, r); }
void inline R41(uint32_t& a, uint32_t b, uint32_t& c, uint32_t d, uint32_t e, uint32_t x, int r) { Round(a, b, c, d, e, f4(b, c, d), x, 0x8F1BBCDCul, r); }
void inline R51(uint32_t& a, uint32_t b, uint32_t& c, uint32_t d, uint32_t e, uint32_t x, int r) { Round(a, b, c, d, e, f5(b, c, d), x, 0xA953FD4Eul, r); }
void inline R12(uint32_t& a, uint32_t b, uint32_t& c, uint32_t d, uint32_t e, uint32_t x, int r) { Round(a, b, c, d, e, f5(b, c, d), x, 0x50A28BE6ul, r); }
void inline R22(uint32_t& a, uint32_t b, uint32_t& c, uint32_t d, uint32_t e, uint32_t x, int r) { Round(a, b, c, d, e, f4(b, c, d), x, 0x5C4DD124ul, r); }
void inline R32(uint32_t& a, uint32_t b, uint32_t& c, uint32_t d, uint32_t e, uint32_t x, int r) { Round(a, b, c, d, e, f3(b, c, d), x, 0x6D703EF3ul, r); }
void inline R42(uint32_t& a, uint32_t b, uint32_t& c, uint32_t d, uint32_t e, uint32_t x, int r) { Round(a, b, c, d, e, f2(b, c, d), x, 0x7A6D76E9ul, r); }
void inline R52(uint32_t& a, uint32_t b, uint32_t& c, uint32_t d, uint32_t e, uint32_t x, int r) { Round(a, b, c, d, e, f1(b, c, d), x, 0, r); }
/** Perform a RIPEMD-160 transformation, processing a 64-byte chunk. */
void Transform(uint32_t* s, const unsigned char* chunk)
{
uint32_t a1 = s[0], b1 = s[1], c1 = s[2], d1 = s[3], e1 = s[4];
uint32_t a2 = a1, b2 = b1, c2 = c1, d2 = d1, e2 = e1;
uint32_t w0 = ReadLE32(chunk + 0), w1 = ReadLE32(chunk + 4), w2 = ReadLE32(chunk + 8), w3 = ReadLE32(chunk + 12);
uint32_t w4 = ReadLE32(chunk + 16), w5 = ReadLE32(chunk + 20), w6 = ReadLE32(chunk + 24), w7 = ReadLE32(chunk + 28);
uint32_t w8 = ReadLE32(chunk + 32), w9 = ReadLE32(chunk + 36), w10 = ReadLE32(chunk + 40), w11 = ReadLE32(chunk + 44);
uint32_t w12 = ReadLE32(chunk + 48), w13 = ReadLE32(chunk + 52), w14 = ReadLE32(chunk + 56), w15 = ReadLE32(chunk + 60);
R11(a1, b1, c1, d1, e1, w0, 11);
R12(a2, b2, c2, d2, e2, w5, 8);
R11(e1, a1, b1, c1, d1, w1, 14);
R12(e2, a2, b2, c2, d2, w14, 9);
R11(d1, e1, a1, b1, c1, w2, 15);
R12(d2, e2, a2, b2, c2, w7, 9);
R11(c1, d1, e1, a1, b1, w3, 12);
R12(c2, d2, e2, a2, b2, w0, 11);
R11(b1, c1, d1, e1, a1, w4, 5);
R12(b2, c2, d2, e2, a2, w9, 13);
R11(a1, b1, c1, d1, e1, w5, 8);
R12(a2, b2, c2, d2, e2, w2, 15);
R11(e1, a1, b1, c1, d1, w6, 7);
R12(e2, a2, b2, c2, d2, w11, 15);
R11(d1, e1, a1, b1, c1, w7, 9);
R12(d2, e2, a2, b2, c2, w4, 5);
R11(c1, d1, e1, a1, b1, w8, 11);
R12(c2, d2, e2, a2, b2, w13, 7);
R11(b1, c1, d1, e1, a1, w9, 13);
R12(b2, c2, d2, e2, a2, w6, 7);
R11(a1, b1, c1, d1, e1, w10, 14);
R12(a2, b2, c2, d2, e2, w15, 8);
R11(e1, a1, b1, c1, d1, w11, 15);
R12(e2, a2, b2, c2, d2, w8, 11);
R11(d1, e1, a1, b1, c1, w12, 6);
R12(d2, e2, a2, b2, c2, w1, 14);
R11(c1, d1, e1, a1, b1, w13, 7);
R12(c2, d2, e2, a2, b2, w10, 14);
R11(b1, c1, d1, e1, a1, w14, 9);
R12(b2, c2, d2, e2, a2, w3, 12);
R11(a1, b1, c1, d1, e1, w15, 8);
R12(a2, b2, c2, d2, e2, w12, 6);
R21(e1, a1, b1, c1, d1, w7, 7);
R22(e2, a2, b2, c2, d2, w6, 9);
R21(d1, e1, a1, b1, c1, w4, 6);
R22(d2, e2, a2, b2, c2, w11, 13);
R21(c1, d1, e1, a1, b1, w13, 8);
R22(c2, d2, e2, a2, b2, w3, 15);
R21(b1, c1, d1, e1, a1, w1, 13);
R22(b2, c2, d2, e2, a2, w7, 7);
R21(a1, b1, c1, d1, e1, w10, 11);
R22(a2, b2, c2, d2, e2, w0, 12);
R21(e1, a1, b1, c1, d1, w6, 9);
R22(e2, a2, b2, c2, d2, w13, 8);
R21(d1, e1, a1, b1, c1, w15, 7);
R22(d2, e2, a2, b2, c2, w5, 9);
R21(c1, d1, e1, a1, b1, w3, 15);
R22(c2, d2, e2, a2, b2, w10, 11);
R21(b1, c1, d1, e1, a1, w12, 7);
R22(b2, c2, d2, e2, a2, w14, 7);
R21(a1, b1, c1, d1, e1, w0, 12);
R22(a2, b2, c2, d2, e2, w15, 7);
R21(e1, a1, b1, c1, d1, w9, 15);
R22(e2, a2, b2, c2, d2, w8, 12);
R21(d1, e1, a1, b1, c1, w5, 9);
R22(d2, e2, a2, b2, c2, w12, 7);
R21(c1, d1, e1, a1, b1, w2, 11);
R22(c2, d2, e2, a2, b2, w4, 6);
R21(b1, c1, d1, e1, a1, w14, 7);
R22(b2, c2, d2, e2, a2, w9, 15);
R21(a1, b1, c1, d1, e1, w11, 13);
R22(a2, b2, c2, d2, e2, w1, 13);
R21(e1, a1, b1, c1, d1, w8, 12);
R22(e2, a2, b2, c2, d2, w2, 11);
R31(d1, e1, a1, b1, c1, w3, 11);
R32(d2, e2, a2, b2, c2, w15, 9);
R31(c1, d1, e1, a1, b1, w10, 13);
R32(c2, d2, e2, a2, b2, w5, 7);
R31(b1, c1, d1, e1, a1, w14, 6);
R32(b2, c2, d2, e2, a2, w1, 15);
R31(a1, b1, c1, d1, e1, w4, 7);
R32(a2, b2, c2, d2, e2, w3, 11);
R31(e1, a1, b1, c1, d1, w9, 14);
R32(e2, a2, b2, c2, d2, w7, 8);
R31(d1, e1, a1, b1, c1, w15, 9);
R32(d2, e2, a2, b2, c2, w14, 6);
R31(c1, d1, e1, a1, b1, w8, 13);
R32(c2, d2, e2, a2, b2, w6, 6);
R31(b1, c1, d1, e1, a1, w1, 15);
R32(b2, c2, d2, e2, a2, w9, 14);
R31(a1, b1, c1, d1, e1, w2, 14);
R32(a2, b2, c2, d2, e2, w11, 12);
R31(e1, a1, b1, c1, d1, w7, 8);
R32(e2, a2, b2, c2, d2, w8, 13);
R31(d1, e1, a1, b1, c1, w0, 13);
R32(d2, e2, a2, b2, c2, w12, 5);
R31(c1, d1, e1, a1, b1, w6, 6);
R32(c2, d2, e2, a2, b2, w2, 14);
R31(b1, c1, d1, e1, a1, w13, 5);
R32(b2, c2, d2, e2, a2, w10, 13);
R31(a1, b1, c1, d1, e1, w11, 12);
R32(a2, b2, c2, d2, e2, w0, 13);
R31(e1, a1, b1, c1, d1, w5, 7);
R32(e2, a2, b2, c2, d2, w4, 7);
R31(d1, e1, a1, b1, c1, w12, 5);
R32(d2, e2, a2, b2, c2, w13, 5);
R41(c1, d1, e1, a1, b1, w1, 11);
R42(c2, d2, e2, a2, b2, w8, 15);
R41(b1, c1, d1, e1, a1, w9, 12);
R42(b2, c2, d2, e2, a2, w6, 5);
R41(a1, b1, c1, d1, e1, w11, 14);
R42(a2, b2, c2, d2, e2, w4, 8);
R41(e1, a1, b1, c1, d1, w10, 15);
R42(e2, a2, b2, c2, d2, w1, 11);
R41(d1, e1, a1, b1, c1, w0, 14);
R42(d2, e2, a2, b2, c2, w3, 14);
R41(c1, d1, e1, a1, b1, w8, 15);
R42(c2, d2, e2, a2, b2, w11, 14);
R41(b1, c1, d1, e1, a1, w12, 9);
R42(b2, c2, d2, e2, a2, w15, 6);
R41(a1, b1, c1, d1, e1, w4, 8);
R42(a2, b2, c2, d2, e2, w0, 14);
R41(e1, a1, b1, c1, d1, w13, 9);
R42(e2, a2, b2, c2, d2, w5, 6);
R41(d1, e1, a1, b1, c1, w3, 14);
R42(d2, e2, a2, b2, c2, w12, 9);
R41(c1, d1, e1, a1, b1, w7, 5);
R42(c2, d2, e2, a2, b2, w2, 12);
R41(b1, c1, d1, e1, a1, w15, 6);
R42(b2, c2, d2, e2, a2, w13, 9);
R41(a1, b1, c1, d1, e1, w14, 8);
R42(a2, b2, c2, d2, e2, w9, 12);
R41(e1, a1, b1, c1, d1, w5, 6);
R42(e2, a2, b2, c2, d2, w7, 5);
R41(d1, e1, a1, b1, c1, w6, 5);
R42(d2, e2, a2, b2, c2, w10, 15);
R41(c1, d1, e1, a1, b1, w2, 12);
R42(c2, d2, e2, a2, b2, w14, 8);
R51(b1, c1, d1, e1, a1, w4, 9);
R52(b2, c2, d2, e2, a2, w12, 8);
R51(a1, b1, c1, d1, e1, w0, 15);
R52(a2, b2, c2, d2, e2, w15, 5);
R51(e1, a1, b1, c1, d1, w5, 5);
R52(e2, a2, b2, c2, d2, w10, 12);
R51(d1, e1, a1, b1, c1, w9, 11);
R52(d2, e2, a2, b2, c2, w4, 9);
R51(c1, d1, e1, a1, b1, w7, 6);
R52(c2, d2, e2, a2, b2, w1, 12);
R51(b1, c1, d1, e1, a1, w12, 8);
R52(b2, c2, d2, e2, a2, w5, 5);
R51(a1, b1, c1, d1, e1, w2, 13);
R52(a2, b2, c2, d2, e2, w8, 14);
R51(e1, a1, b1, c1, d1, w10, 12);
R52(e2, a2, b2, c2, d2, w7, 6);
R51(d1, e1, a1, b1, c1, w14, 5);
R52(d2, e2, a2, b2, c2, w6, 8);
R51(c1, d1, e1, a1, b1, w1, 12);
R52(c2, d2, e2, a2, b2, w2, 13);
R51(b1, c1, d1, e1, a1, w3, 13);
R52(b2, c2, d2, e2, a2, w13, 6);
R51(a1, b1, c1, d1, e1, w8, 14);
R52(a2, b2, c2, d2, e2, w14, 5);
R51(e1, a1, b1, c1, d1, w11, 11);
R52(e2, a2, b2, c2, d2, w0, 15);
R51(d1, e1, a1, b1, c1, w6, 8);
R52(d2, e2, a2, b2, c2, w3, 13);
R51(c1, d1, e1, a1, b1, w15, 5);
R52(c2, d2, e2, a2, b2, w9, 11);
R51(b1, c1, d1, e1, a1, w13, 6);
R52(b2, c2, d2, e2, a2, w11, 11);
uint32_t t = s[0];
s[0] = s[1] + c1 + d2;
s[1] = s[2] + d1 + e2;
s[2] = s[3] + e1 + a2;
s[3] = s[4] + a1 + b2;
s[4] = t + b1 + c2;
}
} // namespace ripemd160
} // namespace
////// RIPEMD160
CRIPEMD160::CRIPEMD160() : bytes(0)
{
ripemd160::Initialize(s);
}
CRIPEMD160& CRIPEMD160::Write(const unsigned char* data, size_t len)
{
const unsigned char* end = data + len;
size_t bufsize = bytes % 64;
if (bufsize && bufsize + len >= 64) {
// Fill the buffer, and process it.
memcpy(buf + bufsize, data, 64 - bufsize);
bytes += 64 - bufsize;
data += 64 - bufsize;
ripemd160::Transform(s, buf);
bufsize = 0;
}
while (end >= data + 64) {
// Process full chunks directly from the source.
ripemd160::Transform(s, data);
bytes += 64;
data += 64;
}
if (end > data) {
// Fill the buffer with what remains.
memcpy(buf + bufsize, data, end - data);
bytes += end - data;
}
return *this;
}
void CRIPEMD160::Finalize(unsigned char hash[OUTPUT_SIZE])
{
static const unsigned char pad[64] = {0x80};
unsigned char sizedesc[8];
WriteLE64(sizedesc, bytes << 3);
Write(pad, 1 + ((119 - (bytes % 64)) % 64));
Write(sizedesc, 8);
WriteLE32(hash, s[0]);
WriteLE32(hash + 4, s[1]);
WriteLE32(hash + 8, s[2]);
WriteLE32(hash + 12, s[3]);
WriteLE32(hash + 16, s[4]);
}
CRIPEMD160& CRIPEMD160::Reset()
{
bytes = 0;
ripemd160::Initialize(s);
return *this;
}

28
cipher/ripemd160.h Normal file
View File

@ -0,0 +1,28 @@
// Copyright (c) 2014-2016 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
#ifndef BITCOIN_CRYPTO_RIPEMD160_H
#define BITCOIN_CRYPTO_RIPEMD160_H
#include <stdint.h>
#include <stdlib.h>
/** A hasher class for RIPEMD-160. */
class CRIPEMD160
{
private:
uint32_t s[5];
unsigned char buf[64];
uint64_t bytes;
public:
static const size_t OUTPUT_SIZE = 20;
CRIPEMD160();
CRIPEMD160& Write(const unsigned char* data, size_t len);
void Finalize(unsigned char hash[OUTPUT_SIZE]);
CRIPEMD160& Reset();
};
#endif // BITCOIN_CRYPTO_RIPEMD160_H